The AI Security Arms Race
AI has fundamentally changed the crypto security landscape, putting sophisticated attack tools that were once exclusive to defenders into the hands of hackers. Mitchell Amador, CEO of Immunefi, explained during Token2049 in Singapore that vulnerability discovery now leads almost immediately to exploitation. The advanced auditing tools his firm developed are no longer exclusive to security teams.
“If we have that, can the North Korean Lazarus group build similar tooling? Can Russian Ukrainian hacker groups build similar such tooling?” Amador asked. “The answer is that they can.” This creates a worrying symmetry where well-funded hacking operations now have access to capabilities that outperform most traditional auditing firms.
Social Engineering Goes Mass Market
Perhaps more concerning is how AI has made sophisticated social engineering attacks incredibly cheap. Amador highlighted AI-generated phishing calls that can impersonate colleagues with disturbing accuracy. “You can execute that for pennies with a well-thought-out system of prompts, and you can execute those in mass. That is the scary part of AI.”
The scale of organized hacking operations is staggering. Groups like Lazarus likely employ “at least a few hundred guys, if not probably low thousands working around the clock” on crypto exploits as a major revenue source for North Korea’s economy. Recent intelligence reports found that competitive pressure from annual revenue quotas drives operatives to protect their individual assets rather than coordinate on security improvements.
Bug Bounties Hit Their Limits
Immunefi has facilitated over $100 million in payouts to white-hat hackers, but Amador told Decrypt the platform has “hit the limits” as there aren’t “enough eyeballs” to provide necessary coverage across the industry. The constraint isn’t just researcher availability—bug bounties face an intrinsic zero-sum game problem that creates perverse incentives for both sides.
Researchers must reveal vulnerabilities to prove they exist, but they lose all leverage once disclosed. Immunefi mitigates this by negotiating comprehensive contracts that specify everything before disclosure occurs. Dmytro Matviiv, CEO of HackenProof, offered a more optimistic view, noting new researchers join platforms annually and progress quickly from simple findings to complex vulnerabilities.
The Attack Surface Expands Beyond Code
While smart contract security has matured, the most devastating exploits increasingly bypass code entirely. The $1.4 billion Bybit hack earlier this year highlighted this shift, with attackers compromising front-end infrastructure to replace legitimate multi-sig transactions rather than exploiting any smart contract vulnerability.
“That wasn’t something that would have been caught with an audit or bug bounty,” Amador said. “That was a compromised internal infrastructure system.” Despite improvements in traditional security areas, the industry is “not doing so hot” on multi-sig security, spear phishing, anti-scam measures, and community protection.
Immunefi has launched a multi-sig security product that assigns elite white-hat hackers to manually review every significant transaction before execution, which the firm says would have caught the Bybit attack. But Amador acknowledged it is a reactive measure rather than a preventative one.
Early Detection Becomes Critical
Effective security requires catching vulnerabilities as early as possible in the development process. Amador described a hierarchy of costs that increases dramatically at each stage: “Bug bounty is the second most expensive, the most expensive being the hack.”
Immunefi’s response has been to embed AI directly into developers’ GitHub repositories and CI/CD pipelines, catching vulnerabilities before code reaches production. Amador predicts this approach will trigger a “precipitous drop” in DeFi hacks within one to two years, potentially reducing incidents by another order of magnitude.
While hack severity remains high, Amador noted that “the incidence rate is going down, and the level of severity of most of the bugs is going down, and we’re catching more and more of these things in the earlier stages of the cycle.”
When asked what single security measure every project should adopt, Amador called for a “Unified Security Platform” addressing multiple attack vectors. Fragmented security essentially forces projects to “do the research yourself” on products, limitations, and workflows.
“We are not yet to the point where we can handle trillions and trillions of assets,” Amador concluded. “We’re just not quite there at prime time.” The industry continues its uneven progress: 2024 became the worst year on record for hacks despite improvements in code security, because hack losses follow predictable mathematical distributions that make single large incidents inevitable rather than anomalous.